SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX550 VPN network cannot access internal network

    Posted 12-03-2019 08:32

    Hi all, I have a cluster of SRX550s and formed a dynamic VPN via the J-Web VPN Wizard.

    Now I can use Pulse Secure to connect to this VPN from the outside network; after connecting to the VPN I get the IP address 192.168.168.x/24.

    However, I cannot access the internal VLAN 128 network after connecting to the VPN (fail to ping 172.16.128.1).

    Please find the SRX550 config below for your reference.


    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.168.0/24

    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match source-address any
    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match destination-address any
    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match application any
    set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

    set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.168.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32


    set security zones security-zone Internal interfaces reth1.128 host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces reth1.128 host-inbound-traffic protocols all

    set interfaces reth1 unit 128 vlan-id 128
    set interfaces reth1 unit 128 family inet address 172.16.128.1/24

    set vlans vlan128 vlan-id 128

    May I know whether some config is missing (maybe a policy or a route)? How can I access the VLAN 128 network after connecting to the VPN from the outside network? Thanks!!



  • 2.  RE: SRX550 VPN network cannot access internal network

    Posted 12-03-2019 10:08

    Your 'remote-protected-resources' should be your internal network(s), so basically you have to use this config line instead:

    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.16.128.0/24

    Please change this and let us know of the result 🙂
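    The change above, with the rest of the wizard-generated pieces from the first post made consistent with it. This is an added example, not config from the original poster or from Juniper: it keeps the posted names (zones WAN and Internal, client group wizard-dyn-group, VPN wizard_dyn_vpn, pool dyn-vpn-address-pool) and assumes a global address book with two entry names (dyn-vpn-pool, vlan128-lan) that do not appear on the page. The lines beginning with ## are commentary for the reader; only the set/delete/commit lines are meant to be typed in configure mode. Beyond the fix itself, it also narrows the wizard's any/any/any tunnel policy to the client pool and the LAN, which is what a security engineer would want in place anyway.

```junos
## Added example (not the poster's config). Assumed: global address book is in use,
## entry names dyn-vpn-pool and vlan128-lan are chosen here and not from the page.

## The wizard protected the client pool itself, so clients were told that only
## 192.168.168.0/24 lives behind the tunnel. Remove that and protect the LAN instead.
delete security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.168.0/24
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.16.128.0/24

## Address objects for the client pool and the VLAN 128 LAN (assumed names).
set security address-book global address dyn-vpn-pool 192.168.168.0/24
set security address-book global address vlan128-lan 172.16.128.0/24

## Replace the wizard's any/any match with pool -> LAN only; the tunnel action is unchanged.
delete security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match source-address any
delete security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match source-address dyn-vpn-pool
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match destination-address vlan128-lan
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
set security policies from-zone WAN to-zone Internal policy policy_in_wizard_dyn_vpn then log session-close

## Validate, then commit; on a cluster this is committed once and synced to both nodes.
commit check
commit comment "scope dynamic VPN to VLAN 128 LAN"
```

    Two caveats. The remote-protected-resources list is what the Pulse client receives as the set of routes to send into the tunnel, so it must contain the destinations clients need, not the pool they are assigned from. And if the box already uses zone-attached address books, the global address-book lines must be changed to the zone form, because Junos does not allow both styles at once.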



  • 3.  RE: SRX550 VPN network cannot access internal network

    Posted 12-03-2019 20:07

    Hi,

    I have used this config instead, but I still cannot access the internal network 172.16.128.x.


    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 172.16.128.0/24



  • 4.  RE: SRX550 VPN network cannot access internal network

    Posted 12-03-2019 21:34

    Hi Henry


    I believe there is a limitation with host-inbound-traffic coming via Dynamic VPN. Can you try pinging an address on subnet 172.16.128.0/24 different from 172.16.128.1?
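    The distinction behind this suggestion is worth checking explicitly. 172.16.128.1 is the SRX's own address on reth1.128, so a ping to it is host-inbound traffic terminated by the firewall and governed by the zone's host-inbound-traffic settings, whereas a ping to another host on the subnet is transit traffic that must match the tunnel policy and be forwarded out of reth1.128. The operational-mode checks below are an added example, not commands from the thread; the client address 192.168.168.10 and the port 22 used in the match-policies query are made up for illustration, while 172.16.128.2 is the switch from the thread.

```junos
## Added example of verification in operational mode (not the poster's or Juniper's commands).
## Assumed sample values: client address 192.168.168.10, destination port 22.

## Both cluster nodes healthy and one of them primary for the redundancy groups.
show chassis cluster status

## Is the client connected, and which pool address did it receive?
show security dynamic-vpn users

## Phase 1 and Phase 2 SAs present for the client's public address?
show security ike security-associations
show security ipsec security-associations

## Does a policy exist for pool -> LAN traffic, and is it the tunnel policy?
show security policies from-zone WAN to-zone Internal
show security match-policies from-zone WAN to-zone Internal source-ip 192.168.168.10 destination-ip 172.16.128.2 source-port 1024 destination-port 22 protocol tcp

## Transit test: ping 172.16.128.2 from the client, then look for a session.
show security flow session source-prefix 192.168.168.0/24
show security flow session destination-prefix 172.16.128.0/24

## Host-inbound test: ping 172.16.128.1 (the SRX itself). This path depends on the
## zone's host-inbound-traffic settings, not on the tunnel policy.
show security zones Internal
show interfaces reth1.128 terse
show route 172.16.128.2

## Tunnel counters should rise while the ping runs.
show security ipsec statistics
```

    If the ipsec statistics counters rise but no session appears for 172.16.128.2, the packets are being decrypted and then dropped by policy or routing on the SRX; if the counters do not move at all, the client is not putting that destination into the tunnel, which points back at remote-protected-resources.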




  • 5.  RE: SRX550 VPN network cannot access internal network

    Posted 12-04-2019 03:51
    Hi, there is a Dell switch (172.16.128.2) connected to the SRX, but I cannot ping it successfully from the VPN network. How can I remove the limitation with host-inbound-traffic coming via Dynamic VPN?


  • 6.  RE: SRX550 VPN network cannot access internal network

    Posted 12-04-2019 07:24
    There is a very strange phenomenon. I successfully pinged 172.16.128.1 via dynamic VPN this morning and this afternoon, but it fails to ping again after reconnecting the VPN session.


  • 7.  RE: SRX550 VPN network cannot access internal network
    Best Answer

    Posted 12-04-2019 08:02

    Henry, you might well be hitting the following problem:

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&actp=METADATA




  • 8.  RE: SRX550 VPN network cannot access internal network

    Posted 12-05-2019 05:48

    It works! Thanks.